Conversation
Jarkko Sakkinen
jarkko
Edited yesterday
yay, now tpm2sh has software digest calculator for policy expressions (which can query e.g. PCR values but does not exercise policy tpm commands), the remaining errata is not a huge stretch:
https://github.com/puavo-org/tpm2sh/issues/2
Many of the things are just minor collapses while turning this over and over again. Sessions need still a bit of work but lot of the functionality is already there...
I'd like to add quote generation etc. for Remote Attestation purposes but it is definitely out of scope and better just to stabilize the command set.
Sessions are represented like this (to be cosmetic tweaked in some places):
session://handle=0x02000000;nonce=135eac83db00e0c691fba1653405e79f8f285964e18add0488337fc7caf90606;attrs=00;key=;alg=sha256
And there's already `--session` argument but further I'll add an environment variable TPM2SH_SESSION, which command not only read but also update (to enable chaining e.g., nonce needs to be updated).
The general gist and main goal of the command set and "command-line experience" is to enable both user interactive experience and also TPM2 access for shell implemented tools such as password managers.
Load loads both external PKCS#8 and TPM ASN.1. Convert command converts PKCS#8 to TPM ASN.1.
So instead of this:
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
You can just:
tpm2sh create-primary rsa:2048:sha256 --output file://owner.txt
openssl genrsa -out private.pem 2048
tpm2sh convert --parent "tpm://0x81000001" file://private.pem --output file://key.priv.der
#linux #rust #tpm
https://github.com/puavo-org/tpm2sh/issues/2
Many of the things are just minor collapses while turning this over and over again. Sessions need still a bit of work but lot of the functionality is already there...
I'd like to add quote generation etc. for Remote Attestation purposes but it is definitely out of scope and better just to stabilize the command set.
Sessions are represented like this (to be cosmetic tweaked in some places):
session://handle=0x02000000;nonce=135eac83db00e0c691fba1653405e79f8f285964e18add0488337fc7caf90606;attrs=00;key=;alg=sha256
And there's already `--session` argument but further I'll add an environment variable TPM2SH_SESSION, which command not only read but also update (to enable chaining e.g., nonce needs to be updated).
The general gist and main goal of the command set and "command-line experience" is to enable both user interactive experience and also TPM2 access for shell implemented tools such as password managers.
Load loads both external PKCS#8 and TPM ASN.1. Convert command converts PKCS#8 to TPM ASN.1.
So instead of this:
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
You can just:
tpm2sh create-primary rsa:2048:sha256 --output file://owner.txt
openssl genrsa -out private.pem 2048
tpm2sh convert --parent "tpm://0x81000001" file://private.pem --output file://key.priv.der
#linux #rust #tpm
1
2
1
I'll likely fix those glitches within a week or so and then it's ready for release :-)
The key insight here is that 50% of hardware is realized the software that creates interface for it, and for TPM2 the "software defined object" portion has been quite horrible :-) And it's pretty bad across the board form programming interfaces to tooling with absolutely no developer or sysadmin ergonomics consider anywhere.
On the other hand, by having right kind of software interface for TPM2, makes it like it was a completely new piece of hardware that did not exist before. I.e. not a brick.
The key insight here is that 50% of hardware is realized the software that creates interface for it, and for TPM2 the "software defined object" portion has been quite horrible :-) And it's pretty bad across the board form programming interfaces to tooling with absolutely no developer or sysadmin ergonomics consider anywhere.
On the other hand, by having right kind of software interface for TPM2, makes it like it was a completely new piece of hardware that did not exist before. I.e. not a brick.
0
0
0